Research on Linkage Technology between Distributed Firewalls and Intrusion Detection Systems

【Author】 张前忠

【Advisor】 陈清华

【Author Information】 Nanjing University of Science and Technology (南京理工大学), Computer Application Technology, 2008, Master's thesis

【Abstract (translated from the Chinese)】 Traditional perimeter firewalls suffer from the limitations of a single point of failure and a performance bottleneck, and they depend on the network topology to enforce their security policies. With today's rapid growth of networks these limitations have become increasingly apparent, and the distributed firewall emerged against this background. By distributing the firewall onto the individual protected hosts, a distributed firewall can solve the single-point-of-failure and performance-bottleneck problems. However, although the distributed firewall solves many of the problems faced by traditional firewalls, it has shortcomings of its own: (1) traditional intrusion detection based on access control points is difficult to implement; (2) the frequent transfer of log files between the hosts and the central policy server greatly increases network traffic; (3) cross-platform management, full transparency to users and plug-and-play remain unsolved, and only when these problems are solved can distributed firewalls be more widely deployed. A Distributed Intrusion Detection System (DIDS) is a top-down, tree-shaped, hierarchical multi-level structure that places the individual subsystems on different nodes; each node makes full use of its own capabilities and cooperates with the others to complete tasks, which suits the needs of network communication and makes expansion and reduction convenient. Based on an analysis of the current state of distributed firewalls and distributed intrusion detection systems, this thesis proposes a model of an intrusion detection linkage system built on a distributed firewall. Proxy servers are used to construct a distributed proxy firewall that protects different servers separately; the firewall obtains its defense policies directly from the central policy server and enforces them. The distributed intrusion detection system is distributed across the network environment and monitors both the hosts connected to the network and the network itself; its key techniques are the cooperative processing of detection information and the extraction of global information about intrusion attacks, which is then sent to the central policy server. At the same time, the central policy server, via the distributed firewall, obtains from the linked intrusion detection system the basis for formulating policy, and through analysis and configuration by an expert system or an administrator it forms a globally consistent, executable defense policy. In this model, sound policy coordination among the distributed proxy firewalls is the foundation of efficient operation. Combining distributed firewall technology with intrusion detection technology, the distributed firewall both acquires the network data that intrusion detection needs and solves the problem that traditional intrusion detection cannot exert active control; meanwhile, the results of network intrusion detection provide a basis for the firewall's security management policy, greatly raising the system's level of protection and realizing a multi-dimensional, layered network defense architecture with intelligent access control capabilities. This thesis focuses on the cooperative linkage between the intrusion detection system and the distributed firewall.

【Abstract】 The conventional firewall, a perimeter firewall, is subject to a single point of failure and a performance bottleneck. Furthermore, it relies on notions of topology to implement the security policy. With the rapid development of networks, the disadvantages of the conventional firewall have become more and more prominent. Under these circumstances the concept of the distributed firewall was proposed. The distributed firewall solves the problems of the conventional firewall by distributing the firewalls to the hosts that should be protected. Although the distributed firewall solves many of the problems faced by the traditional firewall, it has shortcomings of its own: first, traditional intrusion detection methods based on access control points are difficult to implement; second, frequent exchange of log files between the hosts and the central strategy server greatly increases network traffic; third, the problems of cross-platform management, full transparency for users and plug-and-play must be solved before the distributed firewall can be more widely applied. A Distributed Intrusion Detection System is a top-down, multi-level tree structure in which the various subsystems are arranged at different nodes; each node contributes its own capabilities and coordinates with the others to complete tasks, so the system adapts to the needs of network communication and is easily expanded or reduced. Based on an analysis of the state of distributed firewalls and distributed intrusion detection systems, this paper presents a linkage system model built on the distributed firewall and the Distributed Intrusion Detection System.

The firewall obtains the defensive strategy directly from the central strategy server and implements it, and protects the different servers by means of distributed firewall agents constructed from proxy servers. The Distributed Intrusion Detection System is an intrusion detection system distributed across the network that monitors the network and the hosts connected to it; its key technology is the coordinated processing of detection information and the extraction of information about intrusion attacks, which is then sent to the central strategy server. The central strategy server, using the information the distributed firewall obtains from its interaction with the Distributed Intrusion Detection System, makes a consistent and executable defense strategy through expert-system analysis or administrator configuration. In this model, a reasonable strategy for coordination between the distributed firewall agents is the basic guarantee of efficient operation. By integrating distributed firewall technology with intrusion detection technology, the model not only obtains intrusion information from the network but also resolves the inability of traditional intrusion detection to take an active role; meanwhile, the results of network intrusion detection provide a basis for the firewall's security management strategy. This greatly improves the system's security level and intelligent access control capability, and implements an in-depth, multi-layered network defense system.

  • 【CLC Number】TP393.08
  • 【Cited by】6
  • 【Downloads】311